February 2026 vulnerability: What happened?
Blog post from Metabase
In February 2026, security researcher Sho Odagiri reported a vulnerability in Metabase's notification API that allowed authenticated users to craft templates which could extract database connection details and send them via email. There is no evidence of exploitation before the fix. The vulnerability arose from two independent changes: the introduction of user-supplied Handlebars templates for emails, and the addition of metadata objects to query results, which together inadvertently exposed sensitive data to the template. Metabase addressed the issue by locking down the Handlebars template engine and stripping metadata from query results, and urges users of self-hosted versions to upgrade to the fixed versions. As a preventive measure, Metabase is enhancing logging, wrapping database credential access, and tightening template evaluation to mitigate future risks.
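The two mitigations the summary names, stripping metadata from query results and restricting what a template may reference, as an added Python example that is not Metabase's code; the result structure, field names and the `{{path}}` syntax are assumptions for illustration:

```python
import re
from typing import Any

# Constructed query result: rows the user is entitled to see, plus a metadata
# object carrying connection details. Field names are assumptions, not
# Metabase's real structure.
RAW_RESULT = {
    "data": {"row_count": 2, "cols": ["product", "count"]},
    "metadata": {
        "database": {"name": "prod",
                     "details": {"host": "db.internal", "user": "app",
                                 "password": "constructed-secret"}},
    },
}

SENSITIVE_TOP_LEVEL_KEYS = {"metadata"}
ALLOWED_ROOTS = {"data"}          # the only subtree a template may read
MAX_PATH_DEPTH = 4                # bound walking into nested objects
TEMPLATE_VAR = re.compile(r"\{\{\s*([A-Za-z_][\w.]*)\s*\}\}")


def strip_metadata(result: dict) -> dict:
    """Mitigation 1: drop the metadata object before anything reaches a template."""
    return {k: v for k, v in result.items() if k not in SENSITIVE_TOP_LEVEL_KEYS}


def resolve(context: dict, path: str) -> Any:
    """Mitigation 2: resolve a dotted reference only inside allowlisted roots."""
    parts = path.split(".")
    if parts[0] not in ALLOWED_ROOTS or len(parts) > MAX_PATH_DEPTH:
        raise ValueError(f"template reference not allowed: {path}")
    value: Any = context
    for part in parts:
        if not isinstance(value, dict) or part not in value:
            raise ValueError(f"unknown field: {path}")
        value = value[part]
    if not isinstance(value, (str, int, float, bool)):
        # Never dump whole objects into a mail body; scalars only.
        raise ValueError(f"refusing to render compound value: {path}")
    return value


def render(template: str, result: dict) -> str:
    """Render {{path}} placeholders against the sanitized result."""
    context = strip_metadata(result)
    return TEMPLATE_VAR.sub(lambda m: str(resolve(context, m.group(1))), template)


def is_rejected(template: str, result: dict) -> bool:
    """True when the template is refused rather than rendered."""
    try:
        render(template, result)
    except ValueError:
        return True
    return False
```

Both layers are deliberately redundant: even if the metadata object were left in the context, the allowlisted root and scalar-only rule would still refuse the reference.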